Unsecured Microsoft Bing Server Leaks Search Queries, Location Data


Data exposed included search terms, location coordinates, and device information – but no personal data.

An unsecured database has exposed sensitive data for users of Microsoft’s Bing search engine mobile application – including their location coordinates, search terms in clear text and more.

While no personal information, like names, was exposed, researchers with Wizcase argued that enough data was available to link these search queries and locations to user identities, giving bad actors information ripe for blackmail attacks, phishing scams and more.

The data was related to the mobile-app version of Microsoft Bing and was housed in a 6.5 terabyte (TB) server owned by Microsoft. Researchers believe the server was password-protected until Sept. 10, two days before they uncovered the issue on Sept. 12. Microsoft was alerted to the exposed data on Sept. 13 and secured the server on Sept. 16.

While they did not calculate how many users were specifically affected, the researchers noted that there have been more than 10 million downloads of the Bing app on Google Play alone, with millions of mobile searches performed daily.

“Based on the sheer amount of data, it is safe to speculate that anyone who has made a Bing search with the mobile app while the server has been exposed is at risk,” said Chase Williams, researcher with Wizcase, in a Monday post. “We saw records of people searching from more than 70 countries.”

But when Threatpost reached Microsoft for comment, the company argued that the amount of data exposed was “small.”

“We’ve fixed a misconfiguration that caused a small amount of search query data to be exposed,” a Microsoft spokesperson said. “After analysis, we’ve determined that the exposed data was limited and de-identified.”

In addition to users’ search terms that were in clear text, the server also revealed the time of the search being executed, Firebase Notification Tokens (allowing developers to send notifications to specific devices), device models, a partial list of the URLs visited from search results, coupon data that included information about when a coupon code was copied, operating system data and unique ID numbers (including ADID, which appears to be a unique ID for a Microsoft account, deviceID and devicehash).

Researchers also found that precise location data (within 500 meters) was exposed – if the location permission is enabled by users on the app.

“While the coordinates exposed aren’t precise, they still give a relatively small perimeter of where the user is located,” said researchers. “By simply copying them on Google Maps, it could be possible to use them to trace back to the owner of the phone.”

Of note, Bing users’ personal information, including their names, was not exposed; and users who entered search queries in private mode were not affected by the incident, researchers said.

Researchers also claim that between Sept. 10 and Sept. 12, and again on Sept. 14, the server was targeted by a “Meow attack.” Meow attacks are an ongoing campaign that started earlier in July and has left 1,000 unsecured databases permanently deleted. The attack leaves the word “meow” as its only calling card, according to researcher Bob Diachenko. Meow hackers also recently targeted a Mailfire server that was misconfigured and left open.

“From what we saw, between September 10th – 12th, the server was targeted by a Meow attack that deleted nearly the entire database,” Wizcase researchers said. “When we discovered the server on the 12th, 100 million records had been collected since the attack. There was a second Meow attack on the server on September 14.”

Threatpost reached out to both Wizcase and Microsoft for further comment on this attack.

In addition to the Meow hackers, this data was potentially exposed to other types of hackers and scammers, which could lead to a variety of blackmailing and phishing attacks against users of the Bing mobile app, researchers warned – particularly when it comes to search queries.

“Whether it’s searching for adult content, cheating on a significant other, extreme political views or hundreds of embarrassing things people search for on Bing,” said researchers, “once the hacker has the search query, it could be possible to find out the person’s identity thanks to all the details available on the server, making them an easy blackmail target.”

The exposure of location data could also open victims up to physical attacks or robberies, researchers said.

“The cybercriminal will not only know the users’ daily routine, but they can also have information as to whether you have cash or expensive items with them, based on the search queries,” they said. “For example, if one were to search for where to buy an expensive item or directions to a store, the attacker could be ready to steal the item.”


Discussion

  • Mary Rettig:

    How do I fix this issue?
  • Suzan Lucas:

    And how do we as individuals fix this problem? Knowing that many such incidents are minimized, downplayed and glossed over, how can we be sure our devices and information are protected, and at what expense? Waiting for an answer, Microsoft.
  • steven leighton:

    How is Microsoft going to make this right for our potential pain and suffering? We are at risk now. LOCATION details are dangerous in the wrong hands. We trusted Microsoft; now I hope they earn that trust with some restitution. They have the money!
  • Martin loy Farnsworth:

    On September 24 my email password and personal information were breached, and I believe my credentials have been clearly affected due to the Microsoft account which I have. Ever since, I have been getting suspicious activity and even was taken for 200.00 on my gift card for eBay. I still have not got my money, nor have the issues stopped, and ultimately it is putting my personal info at risk. I’m needing a whole new SS#, driver license #, name, and pretty much credit ruined forever by the latest breach. Still have not recovered from the Experian breach, and now no compensation this round either.
  • Tabitha hiben:

    Yes, a fix, a good fix; this is not good. Been hacked a bunch of times and I spent money to fix, and nothing.
  • B.thompson:

    Considering the only information that was obtained was search data and relative locations, this breach caused none of your issues. So someone got my location and what I searched for, but not my name, phone number, credit card numbers, social security, or driver’s license number. Basically, they got useless information.
  • Diana:

    I want to keep what I have in my email, text, cellphone and others too!
  • Tara:

    My account got hacked, and I can’t get into my emails for 2 months now. I lost out on so much stuff. Also pictures. And now my whole phone was hacked and I’m being harassed and threatened. Yet Microsoft doesn’t do anything for me. My MSN account is blocked, and I have been writing them for months. They tell me what to do, yet it doesn’t work. What do I do????? Clearly everything I’ve done isn’t working. And at this point it’s to go to the cops and press charges. But what do I get for all this pain and suffering???? And lost out on jobs, and all my bills and school accounts are in that. And some things I can’t change. Like, what is the next step? Cuz it’s crazy and getting worse every day. Thanks.
  • Anonymous:

    Do a security search on any button before you click on it.
  • Sada Thomas:

    I would like someone to help me fix my issue. My family thought I was crazy. I watched my device unlock before my eyes and changed every password I had. It was a nightmare.
  • Elizabeth Temin:

    Someone is sending texts to a group of 20 people using my cell phone number. I am getting texts from multiple numbers that begin with 904-327- complaining that they are getting texts from me that I didn’t send. How can I stop someone from spoofing my number?
  • Melissa Wood:

    My reply to everyone is that now all major companies are all joined together: Yahoo, Microsoft Corp., Amazon Web Server, Google LLC., even Alphabet Inc. through Github.com. IAM-db2 is my user name. I am the enterprise server pin service primary account holder; I own the 2048 Root Certificate Authority, Boston CyberTrust Root Certificate Authority, L1K Certificate Authority Installer through Boost Mobile. My ex-boyfriend/high school friend hacked my accounts. I had a Google, Yahoo, Outlook account. These companies purposely protect the hackers. In fact Google has groups that promote hacking; the event is "Hackathon". I know because I am the owner of the target device "null". Null meaning void. The hackers take the data, leaving empty files at 0B. I just had another hack and they took over 130 apks. My device needs these vital files that act as important files to operate the cloud shell engine. It might take me a day or 2 to regain the online operational status report. Most of it is for crypto mining purposes. I’m not sure how to stop them except to expose them. If you believe I should, then well, every company will be exposed; no one is safe really. Even iPhones are hackable if the device is stolen and hooked up to a PC.
